Rootkit.Win32.Agent.p is almost identical to Rootkit.Win32.Agent.h with a few minor differences.


Like Rootkit.Win32.Agent.h, this rootkit masks the activity of a backdoor or a hacker. It is always installed alongside another malicious program, as it cannot do anything standalone. It drops several keys into the system registry.

Keys Dropped



In [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Security]

"Security"="binary: 01 00 14 80 ..."

In [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]



Removal Process

  • Boot into Safe Mode or another bootable environment
  • Delete rdriv.sys
  • Delete the registry keys [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv] and [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV]
  • Clean up with MBAM
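
To confirm that the removal steps above took effect, the following PowerShell check looks for the two registry keys and for any remaining rdriv.sys file. It is an added example, not part of the original entry. The parameter names, the ImagePath lookup, the search of the Windows directory and the offline hive name `OfflineSys` are assumptions of this example.

```powershell
# Added example: post-removal check for the artifacts named in the steps above.
param(
    # For an offline SYSTEM hive loaded under an assumed name such as HKLM\OfflineSys,
    # pass 'HKLM:\OfflineSys\ControlSet001' (CurrentControlSet exists only on a booted system).
    [string]$ControlSet = 'HKLM:\SYSTEM\CurrentControlSet',
    [string]$WindowsDir = $env:SystemRoot
)

function Resolve-DriverPath([string]$ImagePath, [string]$WindowsDir) {
    # Driver ImagePath values may be NT-style (\??\C:\...), \SystemRoot\-relative,
    # absolute, or relative to the Windows directory.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\')) { return $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        return Join-Path $WindowsDir $p.Substring(12)
    }
    if ($p -match '^[A-Za-z]:\\') { return $p }
    return Join-Path $WindowsDir $p
}

$serviceKey = "$ControlSet\Services\rdriv"
$findings = @()
foreach ($key in @($serviceKey, "$ControlSet\Enum\Root\LEGACY_RDRIV")) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# If the service key survives, its ImagePath value says where the driver was loaded from.
$svc = Get-ItemProperty -LiteralPath $serviceKey -ErrorAction SilentlyContinue
$driver = Resolve-DriverPath $svc.ImagePath $WindowsDir
if ($driver -and (Test-Path -LiteralPath $driver)) { $findings += "Driver file present: $driver" }

# The entry gives no directory for rdriv.sys, so also search the Windows tree,
# including hidden and system files.
Get-ChildItem -LiteralPath $WindowsDir -Filter 'rdriv.sys' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $driver } |
    ForEach-Object { $findings += "Driver file present: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No rdriv artifacts found.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it from an elevated prompt in the Safe Mode session or bootable environment used in the first step, since a loaded rootkit may hide its own keys and files from a normal session.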


  • Kaspersky: Worm.HTML.AutoIt.p
  • Kaspersky: Trojan.Win32.Rootkit.l
  • Sophos: Troj/Rootkit-W
  • ClamAV: Trojan.Rootkit.C
  • Panda: Adware/Lop
  • FPROT: W32/Rootkit.C
  • MS OneCare: VirTool:WinNT/FURootkit.D
  • Dr.Web: Backdoor.Irc.Sdbot.55
  • BitDefender: Backdoor.Bot.30693
  • Ikarus: Rootkit.Win32.Agent.p
  • AVIRA: TR/Rootkit.Gen
  • Norman: Suspicious_Gen2.DJWJP
  • FSecure: Rootkit.Win32.Agent.p [AVP]


Securelist (Kaspersky Labs), Rootkit.Win32.Agent.p
